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WHAT IS CLAIMED IS: 



ne of: 




1. A function randomness evaluating apparatus comprising at least 



higher-order-differential cryptanalysis resistance evaluating means 
for calculating the minimum value of the degree of a Boolean polynomial 
for input bits by wnich output bits of a function to be evaluated are 
expressed, and evaluating that the larger said minimum value, the higher 
the resistance of sard function to higher order differential cryptanalysis is; 

interpolationVcryptanalysis resistance evaluating means for: when 
fixing a key y and letting x denote the input of a function to be evaluated, 
expressing an output y by y = 4(x) using a polynomial over Galois field 
which is composed oflelements equal to a prime p or a power of said prime 
p; calculating the numoer of terms of said polynomial; and evaluating the 
resistance of said func^on to interpolation cryptanalysis based on the result 
of said calculation; 

partitioning-cry^tanalysis resistance evaluating means for: dividing 
all inputs of a function to be evaluated and the corresponding outputs into 
input subsets and outputlsubsets; calculating an imbalance of the 
relationship between the subset of an input and the subset of the 
corresponding output witn respect to their average corresponding 
relationship; and evaluating the resistance of said function to partitioning 
cryptanalysis based on the result of said calculation; and 

differential-linear-arvptanalysis resistance evaluating means for: 
calculating, for all sets of ihput difference Ax and output mask value r y of 
a function S(x) to be evaluated, the number of inputs x for which the iimer 
product of (S(x)+S(x A x)) and said output mask value Ty is 1; and 
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evaluating the resistance of said function to differential-linear cryptanalysis 
based on the resuW of calculation. 

2. The function randomness evaluating apparatus of claim 1, 
wherein: \ 

said partitionmg-cryptanalysis resistance evaluating means is means 
for: dividing an input set F and an output set G of said function into u input 
subsets {Fo, F^, ... , Fu-im^id v output subsets {Gq, G^, ... , G^.i}; for each 
partition-pair (Fj, Gj) (i 4 0, ... , u-1; j = 0, 1, ... , v-1), calculating the 
maximum one of probabilities that all outputs y corresponding to all inputs x 
of the input subset F^ belong to the respective output subsets Gj (j = 0, ... , v- 
1); calculating a measure Is(F, G) of an average imbalance of a partition-pair 
(F, G) based on all maximum values calculated for all partition pairs; and 
evaluating the resistance of said function to said partitioning cryptanalysis 
based on said measure; and\ 

said differential-linea* cryptanalysis resistance evaluating means is 
means for: calculating the following equation for every set of said input 
difference Ax except 0 and said output mask value Ty except 0 

(Aa:, Ty) = |2x#{jceGF(2)" \(S(x) + S(x + Ax)) • Ty = 1} - 2" | ; 

calculating the maximum value! S among the calculation results; and 
evaluating the resistance of saidifunction to said differential-linear 
cryptanalysis based on said value H . 

3. The function randomness evaluating apparatus of claim 1 or 2, 
further comprising at least one ofl 

differential-cryptanalysis resistance evaluating means for calculating, 
for a function S(x) to be evaluated! the number of inputs x that satisfy 
S(x)+S(x+S(x+ A x)= A y for every set (Ax, Ay) and evaluating the 
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resistance of said fiinction to differential cryptanalysis based on the result of 
said calculation; anc 

linear-cryptai\alysis resistance evaluating means for calculating, for a 
function to be evaluated, the number of inputs x for which the inner product 
of the input x and its mask value Fx is equal to the inner product of a 
function output value S(^) and its mask value Ty and evaluating the 
resistance of said function to linear cryptanalysis based on the result of said 
calculation. 

4, The randomness evaluating apparatus of claim 3, wherein said 
linear-cryptanalysis resistance evaluating means is means for calculating the 
following equation 



for every set of mask values ft r x, r y) except r y=0, and evaluating the 
resistance of said function to said linear cryptanalysis based on a criterion 
defined by the following equation 

= maxA5(rjt,ry). 

5. The randomness evaluating apparatus of claim 3, wherein said 
differential-cryptanalysis resistance evaluating means is means for 
calculating the following equation 

ds (Ax, Ay) =#{jceGF(2)" \s\x) + S(x + Ax) = Ay} 

for every set of difference values (Ax, Ay) except Ax=0, and evaluating 
the resistfince of said function to said differential cryptanalysis based on a 
criterion defined by the following ^^quation 
A5 = max 5^ (Ax, Ay ) . 

6. A random function generating apparatus comprising: 
candidate function generating means for generating candidate 



functions each fori 
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led by a combination of a plurality of functions of 
different algebraic structures and having a plurality of parameters; 

resistance evaluating means for evaluating the resistance of each of 
said candidate functions to a cryptanalysis; and 

selecting means for selecting those of said resistance-evaluated 
candidate functions which have highly resistant to said cryptanalysis. 

7. The random mnction generating apparatus of claim 6, wherein one 
of said plurality of functions of different algebraic structures is resistant to 
each of differential crypi analysis and linear cryptanalysis. 

8. The random ft nction generating apparatus of claim 6 or 7, 
wherein said resistance evaluating means comprises at least one of: 

higher-order-differential cryptanalysis resistance evaluating means 
for: calculating the niininmm value of the degree of a Boolean polynomial 
for input bits by which output bits of each of said candidate functions are 
expressed; and evaluating the resistance of said each candidate function to 
higher order cryptanalysis rased on the result of said calculation; 

interpolation-cryptanalysis resistance evaluating means for: when 
fixing a key y and letting x opnote the input of said each candidate, 
expressing an output y by y 4 f^(x) using a polynomial over Galois field 
which is composed of elements equal to a prime p or a power of said prime 
p; calculating the number of terms of said polynomial; and evaluating the 
resistance of said each candidate function to interpolation cryptanalysis 
based on the result of said calculation; 

partitioning-cryptanalysis resistance evaluating means for: dividing 
all inputs of a function to be evamated and the corresponding outputs into 
input subsets and output subsets; cMculating an imbalance of the 
relationship between the subset of aminput and the subset of the 
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corresponding output with respect to their average corresponding 
relationship; and evaluating tne resistance of said function to partitioning 
cryptanalysis based on the result of said calculation; and 

differential-linear cryptanalysis resistance evaluating means for: 
calculating, for every set of inpu\ difference Ax and output mask value r y 
of a function S(x) to be evaluated^ the number of inputs x for which the 
inner product of (S(x)+S(x A x)) ana said output mask value r y is 1; and 
evaluating the resistance of said function to differential-linear cryptanalysis 
based on the result of said calculation. 

9. A method for evaluating the randomness of the input/output 
relationship of a function, said methoa comprising at least one of: 

(a) a higher-order-differential cryptanalysis resistance evaluating 
step of: letting said function be represented by S(x), calculating the 
minimum value of the degree of a Boolean polynomial for input bits of said 
function S(x) by which its output bits aie expressed; and evaluating the 
resistance of said function to higher ord&r cryptanalysis based on the result 
of said calculation; \ 

(b) a differential-linear cryptanalvsis resistance evaluating step of: 
calculating, for every set of input difference Ax and output mask value r y 
of a function S(x) to be evaluated, the nurnber of inputs x for which the 
inner product of (S(x)+S(x A x)) and said output mask value r y is 1; and 
evaluating the resistance of said function to\ differential-linear cryptanalysis 
based on the result of said calculation; \ 

(c) a partitioning-cryptanalysis resistance evaluating step of: dividing 
all inputs of a function to be evaiyated and the corresponding outputs into 
input subsets and output subsets; ^Iculating an imbalance of the 
relationship between the subset of an input and the subset of the 
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corresponding output with respect to their average corresponding 
relationship; and evaluating the resistance of said function to partitioning 
cryptanalysis based on the result of said calculation; and 

(d) an interpolation-cwptanalysis resistance evaluating step of: when 
fixing a key y and letting x denote the input of said each candidate, 
expressing an output y by y = rA(x) using a polynomial over Galois field 
which is composed of elements equal to a prime p or a power of said prime 
p; calculating the number of terrns of said polynomial; and evaluating the 
resistance of said function to interpolation cryptanalysis. 

10. The randonmess evak ating method of claim 9, wherein: 

rtanalysis resistance evaluating step (b) is 
a step of:, letting the input differeiice and output mask value of said function 
S(x) be representing by Ax and Ey, respectively, calculating the following 
equation for every set of said input difference A x except 0 and said output 
mask value r y except 0 

(Ajc, Ty) = |2x#{>: eGF(2)" |(S(i) + S(x + Ax) • Ty = 1} - 2" | 

calculating the maximum value S among the calculation results; and 
evaluating the resistance of said function to said differential-linear 
cryptanalysis using said value H ; and 

said partitioning-cryptanalysis rbsistance evaluating step (c) is a step 
of: dividing an input set F and an output set G of said function into u input 
subsets {Fq, Fi, ... , pu.i} and v output subsets {Gq, G^, ... , G^.^}; for each 
partition-pair (F^, Gj) (i = 0, ... , u-1; j = d 1, ... , v-1), calculating the 
maximum one of probabilities that all outouts y corresponding to all inputs x 
of the input subset Fj belong to the respective output subsets Gj (j = 0, ... , v- 
1); calculating a measure Is(F, G) of an average imbalance of a partition-pair 
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(F, G) based on all maximum values calculated for all partition pairs; and 
evaluating the resistance of said function to said partitioning cryptanalysis 
based on said measure, \ 

11. The randomness evaluating method of claim 9 or 10, further 
comprising at least one of: \ 

(e) a differential-cryptanalysis resistance evaluating step of: letting 
the output difference value of said function S(x) be represented by A x, 
calculating the number of inputs x that satisfy S(x)+S(x+S(x+ Ax)= Ay for 
every set (Ax, Ay) except Ax40; and evaluating the resistance of said 
function to differential cryptanalysis based on the result of said calculation; 
and \ 

(f) a linear-cryptanalysis resistance evaluating means for calculating, 
for said function S(x), the number of inputs x for which the inner product of 
the input x and its mask value r x is equal to the inner product of a function 
output value S(x) and its mask value\ r y and evaluating the resistance of 
said function to linear cryptanalysis based on the result of said calculation. 

12. The randomness evaluating method of claim 11, wherein, letting 
the number of bits of said input x be represented by n: 

said differential-cryptanalysis resistance evaluating step (e) is a step 
of: calculating the following equation 1 

ds i^x.Ay) ^#{xE:GF(2y \S(x) + + Ax) - Ay} 
for every set of difference values (Ax, lAy) except Ax=0; and evaluating 
the resistance of said function to said dirferential cryptanalysis based on a 
criterion defined by the following equation 

A^ = max (Ax, A>') ; and 1 

said linear-cryptanalysis resistance evaluating step (f) is a step of: 
letting the mask value of said input x be represented by r x, calculating the 
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following equation 



A5(rjc,ry\= 2x#[ce(2)"xT>: = 5(A:)Ty}-2" 



for every set of mask values (Fx, r y) except r y =0; and evaluating the 
resistance of said function to said linear cryptanalysis based on a criterion 
defined by the following equation 
= maxA5(rAry). 

13. A random mnction generating method comprising the steps of: 

(a) setting various values as each parameter for candidate functions 
and calculating output values corresponding to various input values; 

(b) storing the results of said calculation in storage means; and 

(c) evaluating the resistance of each of said candidate functions to a 
cryptanalysis based on values stored in said storage means, and selectively 
outputting candidate function highly resistant to said cryptanalysis; and 

wherein said step (c) comprising at lease one of: 
(c-1) a higher-order cryptanalysis resistance evaluating step of: 
calculating the minimum valu© of the degree of a Boolean polynomial for 
input bits of each of said candioate functions by which its output bits are 
expressed; evaluating the resistance of said each candidate function to 
higher order cryptanalysis based on the result of said calculation; and 
leaving those of said candidate functions whose resistance is higher than a 
predetermined first reference and discarding the others; 

(c-2) a differential-linear cryptanalysis resistance evaluating step of: 
calculating, for every set of input difference Ax and output mask value Ty 
of each candidate function S(x), the number of inputs x for which the iimer 
product of (S(x)+S(xAx)) and said output mask value Ty is 1; evaluating 
the resistance of said function to differential-linear cryptanalysis based on 
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the result of said calculation; and leaving those of said candidate functions 
whose resistance^is higher than a predetermined second reference and 
discarding the oth^s; 

(c-3) a partit^oning-cryptanalysis resistance evaluating step of: 
dividing all inputs o^\each candidate function and the corresponding outputs 
into input subsets and^output subsets; calculating an imbalance of the 
relationship between the subset of an input and the subset of the 
corresponding output with respect to their average corresponding 
relationship; evaluating tne resistance of said each candidate function to said 
partitioning cryptanalysislbased on the result of said calculation; and leaving 
those of said candidate functions whose resistance is higher than a 
predetermined third reference and discarding the others; and 

(c-4) an interpolation-cryptanalysis resistance evaluating step of: 
when fixing a key y and letting x denote the input of said each candidate, 
expressing an output y by y =\fk(x) using a polynomial over Galois field 
which is composed of elements equal to a prime p or a power of said prime 
p; calculating the number of teims of said polynomial; evaluating the 
resistance of said function to interpolation cryptanalysis; and leaving those 
of said candidate functions whose resistance is higher than a predetermined 
fourth reference and discarding tne others. 

14. The random function generating apparatus of claim 13, wherein: 

said differential-linear-cryptanalysis resistance evaluating step (c-2) 
includes a step of: letting the output mask value be represented by Ty, 
calculating the following equation for every set of said input difference Ax 
except 0 and said output mask value\ r y except 0 



(Ax, r>^) = |2x#{x e GF(2y + 5(x + Ax)) • ry - 1} - 2" I 
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calculating the maximum value 3 among the calculation results; and 
evaluating the resistance of said candidate function to said differential-linear 
cryptanalysis based\on said value S ; and 

said partitioningOcry\ptanalysis resistance evaluating step (3) includes a step 
of dividing an input set F and an output set G of said function into u input 
subsets {Fq, Fi, ... , p^.A and v output subsets {Gq, G^, ... , G^.i}; for each 
partition-pair (Fj, Gj) (i V 0, ... , u-1; j = 0, 1, ... , v-1), calculating the 
maximum one of probabilities that all outputs y corresponding to all inputs x 
of the input subset Fj belong to the respective output subsets Gj (j = 0, ... , v- 
1); calculating a measure l[s(F, G) of an average imbalance of a partition-pair 
(F, G) based on all maximum values calculated for all partition pairs; and 
evaluating the resistance of said candidate function to said partitioning 
cryptanalysis based on saidvmeasure. 

15. The random function generating method of claim 13 or 14, 
wherein: \ 

said step (c-1) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said first reference by\a first predetermined width, and executing 
again the evaluation and selecting process; 

said step (c-2) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said second reference by\a second predetermined width, and 
executing again the evaluation and selecting process; 

said step (c-3) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said third reference by a third predetermined width, and executing 
again the evaluation and selecting process; and 
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said step (c-4) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said fourth reference by a fourth predetermined width, and 
executing again the evaluation and selecting process. 

16. The random function generating method of claim 13 or 14, 
further comprising at least one of: 

(c-5) a differentlal-cryptanalysis resistance evaluating step of: 
calculating, for each candidate function S(x), the number of inputs x that 
satisfy S(x)+S(x+S(x+ Ak)= A y for every set (Ax, Ay) except A x; 
evaluating the resistance \of said each candidate function to differential 
cryptanalysis based on the result of said calculation; and leaving those of 
said candidate functions whose resistance is higher than a predetermined 
fifth reference and discarding the others; and 

(c-6) a linear-cryptanalysis resistance evaluating step of: calculating, 
for each candidate function, the number of inputs x for which the iimer 
product of the input x and itslmask value r x is equal to the inner product of 
a function output value S(x) and its mask value Ty; evaluating the 
resistance of said each candidate function to linear cryptanalysis based on 
the result of said calculation; qnd leaving those of said candidate functions 
whose resistance is higher thai^ a predetermined sixth reference and 
discarding the others. 

17. The random functioA generating method of claim 16, wherein: 
said differential-cryptanalysis resistance evaluating step (c-5) 

includes a step of: calculating the following equation 
ds (Ax, Ay) =#{jc e GF(2y |5(uc) + 5(x + Ax) = Ay} 

for every set of difference values (Ax, Ay) except ry=0; and evaluating 
the resistance of said each candidate function to said differential 



cryptanalysis based 
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iction generating method of claim 16 or 17, 



on a criterion defined by the following equation 
c,Ay); and 

said linear-crVptanalysis resistance evaluating step (c-6) includes a 
step of: calculating tne following equation 

A5(rjc,rj)= 2x#\Le(2)"|A:*rjc = 5(x)»ry}-2"| 

for every set of mask values (Fx, r y); and evaluating the resistance of said 
each candidate function to said linear cryptanalysis based on a criterion 
defined by the following equation 

18. The random 
wherein: 

said step (c-5) includes a step of: when no candidate function 
remains undiscarded, easina the candidate function selecting condition by 
changing said fifth references by a fifth predetermined width, and executing 
again the evaluation and selecting process; and 

said step (c-6) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said sixth reference by a sixth predetermined width, and executing 
again the evaluation and seleciing process. | y, 

19. The random function generating method of claim 13, i47-or457 
wherein said candidate functions are each a composite function composed of 
at least one function resistant tolsaid differential cryptanalysis and said 
linear cryptanalysis and at least one function of an algebraic structure 
different from that of said at leasi one function. 

20. A recording medium Having recorded thereon a random function 
generating method as a computer program, said program comprising the 
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steps of: 

(a) setting vamous values as each parameter for candidate functions 
and calculating output values corresponding to various input values; 

(b) storing the results of said calculation in storage means; and 

(c) evaluating the resistance of each of said candidate functions to a 
cryptanalysis based on values stored in said storage means, and selectively 
outputting candidate function highly resistant to said cryptanalysis; and 

wherein said step (c) comprising at lease one of: 

(c-1) a higher-order cryptanalysis resistance evaluating step of: 
calculating the minimum value of the degree of a Boolean polynomial for 
input bits of each of said candidate functions by which its output bits are 
expressed; evaluating the resistance of said each candidate function to 
higher order cryptanalysis based on the result of said calculation; and 
leaving those of said candidate functions whose resistance is higher than a 
predetermined first reference and discarding the others; 

(c-2) a differential-linear cryptanalysis resistance evaluating step of: 
calculating, for every set of input difference Ax and output mask value Ty 
of each candidate function S(x), the number of inputs x for which the inner 
product of (S(x)+S(xAx)) and said output mask value Ty is 1; evaluating 
the resistance of said function to oifferential-linear cryptanalysis based on 
the result of said calculation; and Idaving those of said candidate functions 
whose resistance is higher than a prl^determined second reference and 
discarding the others; 

(c-3) a partitioning-cryptanal>^is resistance evaluating step of: 
dividing all inputs of each candidate function and the corresponding outputs 
into input subsets and output subsets; calculating an imbalance of the 
relationship between the subset of an input and the subset of the 
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corresponding output with respect to their average corresponding 
relationship; evaluating the resistance of said each candidate function to said 
partitioning cryptanalysas based on the result of said calculation; and leaving 
those of said candidate functions whose resistance is higher than a 
predetermined third refereaice and discarding the others; and 

(c-4) an interpolatiqn-cryptanalysis resistance evaluating step of: 
when fixing a key y and letting x denote the input of said each candidate, 
expressing an output y by y 4 fi,(x) using a polynomial over Galois field 
which is composed of elements equal to a prime p or a power of said prime 
p; calculating the number of terms of said polynomial; evaluating the 
resistance of said function to interpolation cryptanalysis; and leaving those 
of said candidate functions whose resistance is higher than a predetermined 
fourth reference and discarding\the others. 

21. The recording medium of claim 20, wherein: 
said differential-linear-cr\ptanalysis resistance evaluating step (c-2) 
includes a step of: letting the output mask value be represented by Ty, 
calculating the following equation for every set of said input difference A x 
except 0 and said output mask value r y except 0 

(Ax, Ty) = |2x#{x G GF(2y |(5(l:) + 5(x + Ax)) • = 1} - 2" | ; 

calculating the maximum value H among the calculation results; and 
evaluating the resistance of said candidate function to said differential-linear 
cryptanalysis based on said value S ; and 

said partitioningOcryptanalysis resistance evaluating step (3) includes 
a step of dividing an input set F and an output set G of said function into u 
input subsets {Fq, F^, ... , pu-i} v output subsets {Gq, Gj, ... , G^.x}; for 
each partition-pair (F^, Gj) (i = 0, ... , u-1; vj = 0, 1, ... , v-1), calculating the 
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maximum one of probabilities that all outputs y corresponding to all inputs x 
of the input subset Fj belong to the respective output subsets Gj (j = 0, , v- 
1); calculating a measure Is(F, G) of an average imbalance of a partition-pair 
(F, G) based on all maximum values calculated for all partition pairs; and 
evaluating the resistance of said candidate function to said partitioning 
cryptanalysis based on said measure. 

22, The recordingWedium of claim 20 or 21, wherein: 

said step (c-1) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said first reference by a first predetermined width, and executing 
again the evaluation and selecting process; 

said step (c-2) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said second reference by a second predetermined width, and 
executing again the evaluation and selecting process; 

said step (c-3) includes! a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said third reference by a third predetermined width, and executing 
again the evaluation and selecting process; and 

said step (c-4) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said fourth reference by\a fourth predetermined width, and 
executing again the evaluation ana selecting process. 

23. The recording medium ^f claim 20 or 21, wherein said program 
includesat least one of: 

(c-5) a differential-cryptanalVsis resistance evaluating step of: 
calculating, for each candidate function S(x), the number of inputs x that 
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satisfy S(x)+S(x+S(xH-lAx)=Ay for every set (Ax, Ay) except Ax; 
evaluating the resistance of said each candidate function to differential 
cryptanalysis based on the result of said calculation; and leaving those of 
said candidate functions whose resistance is higher than a predetermined 
fifth reference and discarding the others; and 

(c-6) a linear-cryptanalysis resistance evaluating step of: calculating, 
for each candidate function, the number of inputs x for which the inner 
product of the input x and its mask value r x is equal to the inner product of 
a function output value S [x) and its mask value r y ; evaluating the 
resistance of said each candidate function to linear cryptanalysis based on 
the result of said calculation; and leaving those of said candidate functions 
whose resistance is higher\than a predetermined sixth reference and 
discarding the others. 

24. The recording niedium of claim 23, wherein: 
said differential-cryntanalysis resistance evaluating step (c-5) 
includes a step of: calculating the following equation 
{Ax, Ay) =#{jceGF(2r |5(jc) + S(x + Ax) = Ay} 

for every set of difference values (Ax, Ay) except ry=0; and evaluating 
the resistance of said each candidate function to said differential 
cryptanalysis based on a criterion defined by the following equation 
A^ = max 65 (Ax, Ay ) ; anc 

said linear-cryptanalysi^ resistance evaluating step (c-6) includes a 
step of: calculating the following equation 



(rx, Ty) = 2x# {x: e (2)" Ix • Fx = 5(jc) • r>^} - 2" | 



for every set of mask values (Fx, \ Ty); and evaluating the resistance of said 
each candidate function to said linear cryptanalysis based on a criterion 
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defined by the foUov^ing equation 

25. The recortUng medium of claim 23 or 24, wherein: 
said step (c-5) includes a step of: when no candidate function 
remains undiscarded, easing the candidate function selecting condition by 
changing said fifth reference by a fifth predetermined width, and executing 
again the evaluation and selecting process; and 



said step (c-6) inc 
remains undiscarded, easi 



udes a step of: when no candidate function 
g the candidate function selecting condition by 



changing said sixth reference by a sixth predetermined width, and executing 



again the evaluation and selecting process. 
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26. The recording medium of claim 20, 2i7w22, wherein said 
candidate functions are each a composite function composed of at least one 
function resistant to said difBerential cryptanalysis and said linear 
cryptanalysis and at least one function of an algebraic structure different 
from that of said at least one function. 

27. A recording medium having recorded thereon as a program a 
method for evaluating the randonmess of the input/output relationship of a 
function, said program comprising at least one of: 

(a) a higher-order-differential cryptanalysis resistance evaluating 
step of: letting said function be represented by S(x), calculating the 
minimum value of the degree ofi a Boolean polynomial for input bits of said 
function S(x) by which its output bits are expressed; and evaluating the 
resistance of said function to higl\er order cryptanalysis based on the result 
of said calculation; 

(b) a differential-linear cryptanalysis resistance evaluating step of: 
calculating, for every set of input difference A x and output mask value r y 
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of a function S(x) to be evaluated, the number of inputs x for which the 
inner product of (S(x)Ws(x Ax)) and said output mask value r y is 1; and 
evaluating the resistance of said function to differential-linear cryptanalysis 
based on the result of said calculation; 

(c) a partitioning-cryptanalysis resistance evaluating step of: dividing 
all inputs of a function to be evaluated and the corresponding outputs into 
input subsets and output subsets; calculating an imbalance of the 
relationship between the subset of an input and the subset of the 
corresponding output with respect to their average corresponding 
relationship; and evaluating me resistance of said function to partitioning 
cryptanalysis based on the result of said calculation; and 

(d) an interpolation-cryptanalysis resistance evaluating step of: when 
fixing a key y and letting x denote the input of said each candidate, 
expressing an output y by y = 4(x) using a polynomial over Galois field 
which is composed of elements equal to a prime p or a power of said prime 
p; calculating the number of terms of said polynomial; and evaluating the 
resistance of said function to interpolation cryptanalysis. 

28. The recording medium of claim 27, wherein: 

said differential-linear cryptanalysis resistance evaluating step (b) is 
a step of:, letting the input difference and output mask value of said function 
S(x) be representing by Ax and iTy, respectively, calculating the following 
equation for every set of said inpu^t difference Ax except 0 and said output 
mask value r y except 0 

(Ax, Ty) - 2x#{jc e GF(2)" \(S(x) + 5(jc + Ax) • = 1} - 2" | ; 

calculating the maximum value S among the calculation results; and 
evaluating the resistance of said function to said differential-linear 
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cryptanalysis using saia value S ; and 

said partitioningAcryptanalysis resistance evaluating step (c) is a step 
of: dividing an input set ^ and an output set G of said function into u input 

subsets {Fq, Fi, , Fu.i} arid v output subsets {Gq, G^, , G^.i}; for each 
partition-pair (Fi, (i = OX.. , u-1; j = 0, 1, ... , v-1), calculating the 
maximum one of probabilities that all outputs y corresponding to all inputs x 
of the input subset Fj belong to the respective output subsets Gj (j = 0, ... , v- 
1); calculating a measure Is(F, G) of an average imbalance of a partition-pair 
(F, G) based on all maximum values calculated for all partition pairs; and 
evaluating the resistance of sai d function to said partitioning cryptanalysis 
based on said measure. 

29. The recording medium of claim 27 or 28, said program further 
comprising at least one of: 

(e) a differential-cryptarialysis resistance evaluating step of: letting 
the output difference value of said function S(x) be represented by Ax, 
calculating the number of inputs x that satisfy S(x)+S(x+S(x+ Ax)= Ay for 
every set (Ax, Ay) except A x=Oc and evaluating the resistance of said 
function to differential cryptanalysis based on the result of said calculation; 
and 

(f) a linear-cryptanalysis resistance evaluating means for calculating, 
for said function S(x), the number of inputs x for which the inner product of 
the input x and its mask value r x is equal to the inner product of a function 
output value S(x) and its mask value r y and evaluating the resistance of 
said function to linear cryptanalysis based on the result of said calculation. 

30. The recording medium oi claim 29, wherein, letting the number 
of bits of said input x be represented py n: 

said differential-cryptanalysisl resistance evaluating step (e) is a step 
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of : calculating the mllowing equation 

ds{^x,Ay)=#{k^GF(2y |5(jc) + 5(jc + Ax) = Ay} 

for every set of difference values (Ax, Ay) except Ax=0; and evaluating 
the resistance of said function to said differential cryptanalysis based on a 
criterion defined by the 'following equation 
A^ = max 5^ (Ax, A});) ; and 

said linear-cryptanalysis resistance evaluating step (f) is a step of: 
letting the mask value of pid input x be represented by r x, calculating the 
following equation 



(rx, Ty) = 2x# {x S (l)" |x • Fx = 5(x) • } - 2" 



for every set of mask values (Fx, Ty) except ry=0; and evaluating the 
resistance of said function to said linear cryptanalysis based on a criterion 
defined by the following equation 

As =maxA5(rx,r>;), 



